In general, a so-called LAN, which is constructed as a closed network within an organization such as a company, is frequently operated in a form connected to external networks such as the Internet, since it is necessary to exchange electronic mail and to make web pages public for purposes such as publicity, advertisement, and electronic commercial transactions. The security management of a LAN operated in this form is usually performed by means of router settings or by constructing a firewall.
However, security comes at the expense of convenience: for example, in a case where an employee who is out of the office has to be permitted access to an in-house computer, router settings or a firewall alone cannot completely prevent unauthorized entry from an external network. Further, the above security measures are powerless against unjust acts by a so-called “insider.”
On the other hand, as is well known, history information stored and managed in various devices in the LAN, so-called log information, is often used for security management. Since log information includes a great deal of information useful for security management, such as the history of access from external networks, researching and analyzing it makes it possible to grasp in detail, for example, how an unjust act was performed, what the target was, where the intruder came from, and which files or data were damaged. Thus, log information is extremely effective in a tracing investigation conducted after an unjust act.
However, log information is generally large in volume, and a considerable amount of labor is needed to analyze it. Further, analyzing such information and extracting useful information from it requires appropriate techniques and experience, and there are many cases where useful information, even if included, is not sufficiently utilized. Furthermore, when many devices are operating in the LAN, it is extremely troublesome to collect the necessary log information from each of the devices.
On the other hand, monitoring of unjust acts or a tracing investigation may be performed by utilizing not only log information but also communication packets flowing in the LAN. Generally, the number of communication packets flowing in the LAN is huge, and performing tasks such as monitoring of unjust acts by utilizing communication packets requires appropriate skill or knowledge.